Db2 11 for z/OS support for z/OS data set encryption

Customers have been telling us that they lack adequate safeguards to protect data in Db2 for z/OS from viewing by unauthorized internal personnel. In Db2 11 for z/OS, we address that problem by introducing enhancements that provide a simple, transparent, and consumable approach to enabling pervasive encryption of data at rest. This same function is also available as a base release enhancement to Db2 12 for z/OS.

You can enable this solution without application outages. Using this solution can significantly reduce the people and hardware costs associated with protecting data and meeting compliance mandates.

The Db2 11 implementation requires no changes to your Db2 subsystems. To implement the new encryption features, your security or storage administrator enables z/OS DFSMS data set encryption on your Db2 11 data sets. z/OS DFSMS data set encryption is a new hardware and software solution that is introduced in z/OS V2R3, and is also available through z/OS V2R2 APARs.

DFSMS data set encryption uses a key label to encrypt and decrypt the data. The key label is a string from 1 to 64 bytes that identifies a protected data key in the ICSF key repository.
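A sketch of what the security administrator's part of this can look like when RACF is the security manager; this is an added example, not taken from the original page or from IBM's product documentation. The data set qualifier DB2A, the key label DB2A.DATAKEY.AES256.K01, and the user IDs DB2AMSTR and DB2ADBM1 are hypothetical names. It also assumes that the key already exists in the ICSF key repository and that data set encryption is already permitted on the system.

```jcl
//RACFENC  JOB (ACCT),'DB2 DS ENCRYPT',CLASS=A,MSGCLASS=X
//*
//* ADDED EXAMPLE. ALL NAMES BELOW ARE HYPOTHETICAL:
//*   DB2A.DSNDBC.**           GENERIC PROFILE COVERING DB2 DATA SETS
//*   DB2A.DATAKEY.AES256.K01  KEY LABEL (1 TO 64 BYTES) IN ICSF
//*   DB2AMSTR, DB2ADBM1       USER IDS OF THE DB2 ADDRESS SPACES
//*
//* STEP 1: PROTECT THE KEY LABEL IN THE CSFKEYS CLASS AND ALLOW
//*         ITS USE AS A PROTECTED KEY.
//* STEP 2: PERMIT THE DB2 IDS TO USE THE KEY ONLY WHEN THE
//*         REQUEST COMES FROM DFSMS DATA SET ENCRYPTION.
//* STEP 3: TIE THE KEY LABEL TO THE DATA SET PROFILE THROUGH
//*         THE DFP SEGMENT, THEN LIST THE RESULT TO VERIFY IT.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE CSFKEYS DB2A.DATAKEY.AES256.K01 UACC(NONE) -
    ICSF(SYMCPACFWRAP(YES) SYMCPACFRET(YES))
  PERMIT DB2A.DATAKEY.AES256.K01 CLASS(CSFKEYS) -
    ID(DB2AMSTR DB2ADBM1) ACCESS(READ) -
    WHEN(CRITERIA(SMS(DSENCRYPTION)))
  SETROPTS RACLIST(CSFKEYS) REFRESH
  ALTDSD 'DB2A.DSNDBC.**' DFP(DATAKEY(DB2A.DATAKEY.AES256.K01))
  LISTDSD DATASET('DB2A.DSNDBC.**') GENERIC DFP
/*
```

A key label assigned this way takes effect when a data set is newly allocated, so data sets that already exist stay unencrypted until they are re-created.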

You can protect all your Db2 system-managed and user-managed objects with DFSMS data set encryption:

Active logs, and archive logs on DASD

Catalog and directory, and indexes on the catalog

User table spaces and indexes

Most utility data sets, including temporary work files, data files for loading and unloading, and image copy data sets

After the data sets are encrypted, you can run SQL statements and utilities with confidence that your data is protected.